/*
 * Grammar for the isdataat option value, anchored at both ends:
 *   - optional leading whitespace, then an optional '!' that sits outside
 *     every capture group;
 *   - group 1: the offset token, one or more characters that are neither
 *     whitespace nor ',';
 *   - group 2: optional ", relative";
 *   - group 3: optional ", rawbytes".
 * Group 1 is not limited to digits, so the regex alone does not validate the
 * offset; numeric and range checks have to happen after the match.
 */
52 #define PARSE_REGEX "^\\s*!?([^\\s,]+)\\s*(,\\s*relative)?\\s*(,\\s*rawbytes\\s*)?\\s*$"
/* Forward declaration of the unit-test registration routine; its definition
 * appears at the end of this listing. */
58 static void DetectIsdataatRegisterTests(
void);
/* Fragments of the option parser (the function header is not part of this
 * listing). args holds up to three captured substrings; the assignments
 * below fill args[0..2] from capture groups 1..3. Starting every slot at NULL
 * lets later code tell an absent optional group from a captured one. */
100 char *args[3] = {NULL,NULL,NULL};
101 int ret = 0,
res = 0;
/* ret is presumably the match count returned by the regex match (the call is
 * not shown here). Accepting only 1..4 allows at most the whole match plus
 * three groups, which keeps every index derived from ret inside args[3]. */
106 if (ret < 1 || ret > 4) {
/* Group 1: the offset token, stored in args[0]. */
113 res = pcre2_substring_get_bynumber(
114 parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
119 args[0] = (
char *)str_ptr;
/* Group 2: the optional ", relative" modifier, stored in args[1]. */
123 res = pcre2_substring_get_bynumber(
124 parse_regex.
match, 2, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
129 args[1] = (
char *)str_ptr;
/* Group 3: the optional ", rawbytes" modifier, stored in args[2]. */
132 res = pcre2_substring_get_bynumber(
133 parse_regex.
match, 3, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
138 args[2] = (
char *)str_ptr;
/* args[0] is dereferenced here; the check of res after the group-1 extraction
 * is not shown, so confirm it leaves the function on failure. The cast to
 * unsigned char keeps the isalpha() argument in the range the C library
 * requires whatever the signedness of plain char. The '-' comparison is
 * already implied by isalpha(). NOTE(review): judging by the message fragment
 * below, an alphabetic first character marks the token as a variable name
 * for the offset -- confirm. */
148 if (args[0][0] !=
'-' && isalpha((
unsigned char)args[0][0])) {
151 "var name for offset. \"offset\" argument supplied to "
152 "this function has to be non-NULL");
/* Tail of a call whose callee is not visible here; it receives the token
 * length and pointer, and a negative result takes the failure path. */
160 strlen(args[0]), args[0]) < 0 ) {
/* A non-NULL args[1] means the ", relative" group was captured. */
168 if (args[1] !=NULL) {
/* Negation is read from the first byte of the raw option string, not from the
 * regex match. PARSE_REGEX accepts whitespace before '!', so this test sees
 * the '!' only if leading whitespace was stripped before the string got here.
 * NOTE(review): confirm that, since a missed '!' inverts the rule's meaning. */
175 if (isdataatstr[0] ==
'!') {
/* Cleanup on one exit path: release each captured substring. ret - 1 is at
 * most 3 because of the range check above, so the loop stays inside args[]
 * without a bound of its own. */
179 for (i = 0; i < (ret -1); i++) {
181 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
/* Same cleanup on another exit path (which one is not visible here), this
 * time with an explicit i < 3 bound. NOTE(review): carrying the bound in both
 * loops would make the array access auditable without the earlier check. */
189 for (i = 0; i < (ret -1) && i < 3; i++){
191 pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
/* Fragments of the keyword setup path (function header not shown). The
 * option string is parsed with offset passed by address; presumably the
 * parser hands back a variable name through it when the offset is not a
 * literal number -- confirm against DetectIsdataatParse. */
218 idad = DetectIsdataatParse(
de_ctx, isdataatstr, &
offset);
/* Message fragment that reports the offset string with %s. */
251 "seen in isdataat - %s\n",
offset);
/* prev_pm == NULL: no earlier match entry was found. NOTE(review): the
 * message fragment that follows suggests this concerns a relative isdataat
 * that needs a preceding content option -- confirm in the full source. */
285 if (prev_pm == NULL) {
328 "preceding content option");
/* List id the tests below use to index s->sm_lists and s->sm_lists_tail.
 * It starts at 0; where it receives its real value is not shown in this
 * listing. */
343 static int g_dce_stub_data_buffer_id = 0;
/* Parser test: a bare offset followed by trailing whitespace, with neither a
 * detection context nor an offset out-pointer supplied. The assertions on
 * idad are not part of this listing. */
349 static int DetectIsdataatTestParse01 (
void)
353 idad = DetectIsdataatParse(NULL,
"30 ", NULL);
/* Parser test: offset plus "relative", with whitespace on both sides of the
 * comma. The assertions on idad are not part of this listing. */
366 static int DetectIsdataatTestParse02 (
void)
370 idad = DetectIsdataatParse(NULL,
"30 , relative", NULL);
/* Parser test: offset, "relative" and "rawbytes" together, with mixed spacing
 * and trailing whitespace. The assertions on idad are not part of this
 * listing. */
383 static int DetectIsdataatTestParse03 (
void)
387 idad = DetectIsdataatParse(NULL,
"30,relative, rawbytes ", NULL);
/* Signature-level test; the rules it parses are not shown here. Both visible
 * checks require that the list indexed by g_dce_stub_data_buffer_id is empty
 * and that the DETECT_SM_LIST_PMATCH list is populated. */
399 static int DetectIsdataatTestParse04(
void)
410 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
420 result &= (s->sm_lists[g_dce_stub_data_buffer_id] == NULL && s->sm_lists[
DETECT_SM_LIST_PMATCH] != NULL);
/* Signature-level test over four rules. The first three carry dce_iface and a
 * relative isdataat (one option line of each rule is missing from this
 * listing); for each, the visible checks look at the tail of the list indexed
 * by g_dce_stub_data_buffer_id and require its type to be DETECT_ISDATAAT. */
430 static int DetectIsdataatTestParse05(
void)
443 "(msg:\"Testing bytejump_body\"; "
444 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
446 "content:\"one\"; distance:0; "
447 "isdataat:4,relative; sid:1;)");
453 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
457 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
466 "(msg:\"Testing bytejump_body\"; "
467 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
469 "content:\"one\"; distance:0; "
470 "isdataat:4,relative; sid:1;)");
471 if (s->
next == NULL) {
476 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
480 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
489 "(msg:\"Testing bytejump_body\"; "
490 "dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; "
492 "content:\"one\"; distance:0; "
493 "isdataat:4,relative,rawbytes; sid:1;)");
494 if (s->
next == NULL) {
499 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] == NULL) {
503 result &= (s->sm_lists_tail[g_dce_stub_data_buffer_id]->type ==
DETECT_ISDATAAT);
/* The last rule has no dce_iface option. */
512 "(msg:\"Testing bytejump_body\"; "
513 "content:\"one\"; isdataat:4,relative,rawbytes; sid:1;)");
514 if (s->
next == NULL) {
/* The condition flips here: a non-NULL tail on that list is what this branch
 * tests for (its body is not shown). */
519 if (s->sm_lists_tail[g_dce_stub_data_buffer_id] != NULL) {
/* Signature-level test for negated offsets: "!4" directly after the colon
 * (sid 1) and " !4" with a space between the colon and the '!' (sid 2). The
 * option lines between msg and isdataat, and the assertions, are not shown. */
532 static int DetectIsdataatTestParse06(
void)
539 "(msg:\"Testing bytejump_body\"; "
541 "isdataat:!4,relative; sid:1;)");
554 "(msg:\"Testing bytejump_body\"; "
556 "isdataat: !4,relative; sid:2;)");
/* Packet-level test: five signatures are run against a 7-byte payload. The
 * offsets sit on both sides of the payload length (absolute 6 and 8; relative
 * 1, 5 and 6 after a content match). The expected match results are not part
 * of this listing. */
576 static int DetectIsdataatTestPacket01 (
void)
579 uint8_t *buf = (uint8_t *)
"Hi all!";
/* strlen() returns size_t; the narrowing to uint16_t is harmless for this
 * short literal. */
580 uint16_t buflen = strlen((
char *)buf);
/* Tests all three entries of p for NULL before the signatures are set up. */
586 if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
590 sigs[0]=
"alert ip any any -> any any (msg:\"Testing window 1\"; isdataat:6; sid:1;)";
591 sigs[1]=
"alert ip any any -> any any (msg:\"Testing window 2\"; content:\"all\"; isdataat:1, relative; isdataat:6; sid:2;)";
592 sigs[2]=
"alert ip any any -> any any (msg:\"Testing window 3\"; isdataat:8; sid:3;)";
593 sigs[3]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:5, relative; sid:4;)";
594 sigs[4]=
"alert ip any any -> any any (msg:\"Testing window 4\"; content:\"Hi\"; isdataat:6, relative; sid:5;)";
/* Signature ids in the same order as sigs[]. */
596 uint32_t sid[5] = {1, 2, 3, 4, 5};
/* Packet-level test: a relative isdataat placed after a pcre match. The
 * payload is built from adjacent string literals; the visible pieces contain
 * no line terminators, so the header lines run together (one literal line of
 * the original is missing from this listing). Expected result not shown. */
618 static int DetectIsdataatTestPacket02 (
void)
621 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
622 "User-Agent: Wget/1.11.4"
624 "Host: www.google.com"
625 "Connection: Keep-Alive"
626 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
/* size_t narrowed to uint16_t; fine for a fixed literal of this size. */
627 uint16_t buflen = strlen((
char *)buf);
/* isdataat:96,relative is evaluated from the end of the pcre match. */
634 char sig[] =
"alert tcp any any -> any any (msg:\"pcre with"
635 " isdataat + relative\"; pcre:\"/A(ll|pp)WorkAndNoPlayMakesWillA"
636 "DullBoy/\"; isdataat:96,relative; sid:1;)";
/* Packet-level test: a relative isdataat placed after byte_jump, using the
 * same payload text as DetectIsdataatTestPacket02 (one literal line of the
 * original is missing from this listing). Expected result not shown. */
650 static int DetectIsdataatTestPacket03 (
void)
653 uint8_t *buf = (uint8_t *)
"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
654 "User-Agent: Wget/1.11.4"
656 "Host: www.google.com"
657 "Connection: Keep-Alive"
658 "Date: Mon, 04 Jan 2010 17:29:39 GMT";
/* size_t narrowed to uint16_t; fine for a fixed literal of this size. */
659 uint16_t buflen = strlen((
char *)buf);
/* The rule reads one decimal character at offset 46 with byte_jump and then
 * asks for data 87 bytes further on, relative to that position. */
666 char sig[] =
"alert tcp any any -> any any (msg:\"byte_jump match = 0 "
667 "with distance content HTTP/1. relative against HTTP/1.0\"; byte_jump:1,"
668 "46,string,dec; isdataat:87,relative; sid:109; rev:1;)";
/* Registers the six parser tests and the three packet tests with the unit
 * test framework, each under a name equal to its function name. */
680 void DetectIsdataatRegisterTests(
void)
684 UtRegisterTest(
"DetectIsdataatTestParse01", DetectIsdataatTestParse01);
685 UtRegisterTest(
"DetectIsdataatTestParse02", DetectIsdataatTestParse02);
686 UtRegisterTest(
"DetectIsdataatTestParse03", DetectIsdataatTestParse03);
687 UtRegisterTest(
"DetectIsdataatTestParse04", DetectIsdataatTestParse04);
688 UtRegisterTest(
"DetectIsdataatTestParse05", DetectIsdataatTestParse05);
689 UtRegisterTest(
"DetectIsdataatTestParse06", DetectIsdataatTestParse06);
691 UtRegisterTest(
"DetectIsdataatTestPacket01", DetectIsdataatTestPacket01);
692 UtRegisterTest(
"DetectIsdataatTestPacket02", DetectIsdataatTestPacket02);
693 UtRegisterTest(
"DetectIsdataatTestPacket03", DetectIsdataatTestPacket03);